Firewalls operate by checking incoming and outgoing traffic against a set of rules. A rule can match on packet metadata (e.g. port number, IP address, protocol type) or on the actual data carried, i.e. the packet payload.
For example:
* Drop all incoming packets from IP address 1.2.3.4
* Drop all incoming TCP packets on port 22, unless they’re from IP address 2.3.4.5
* Drop all incoming TCP packets with the RST flag set, when the sequence number does not match that of a known connection.
* Drop all incoming and outgoing NetBIOS packets.
* Drop all incoming packets on TCP port 80 whose payload contains the byte string 0x31303235343830303536 (the ASCII text "1025480056").
Modern firewalls usually comprise the following rule sets:
* Base ruleset – usually "block all" followed by a list of exceptions for commonly used services/protocols (e.g. outgoing HTTP requests).
* Custom rule set – a set of user-defined rules that override or complement the base ruleset.
* Signature rule set – a set of signatures that block known exploits and attack tools; a well-known example is the Havij SQL injection tool. These usually take precedence over all other rules. This set is analogous to an anti-malware database and must be updated frequently.
Bypassing a firewall can take only seconds, depending on who is conducting the attack. Typical techniques include spoofing the source address so that the firewall treats the traffic as coming from a trusted source (for example, a Microsoft address), and idle ("zombie") scans that bounce probes off a third host to reveal filtered and hidden ports.
Other Ways to bypass a firewall:
* Literally go around it: find another entry point to the network that does not pass through the firewall. For example, send malware or an exploit to an internal user via email.
* Exploit a misconfigured firewall by crafting packets that don't trigger the rules. Difficult, but possible.
* Send a custom exploit payload to the target on an open port. Signature rules can only identify exploits that are already known.
And much more…
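The following is an added example, not code from the original post: a toy packet filter that encodes the page's example rules in the three rule sets described above (signature set first, then custom rules, then a default-deny base set with exceptions), evaluated first-match-wins per packet. It also illustrates the "craft packets that don't trigger the rules" bypass bullet: the same signature split across two TCP segments slips past a filter that matches per packet without stream reassembly. All packets, addresses, ports and the connection table are constructed for the example; the signature bytes are the ones the page lists.

```python
"""Toy first-match packet filter modelling the rule sets described above.

Constructed example, not from the original page. Packets, addresses and
the connection table are made up; SIGNATURE is the byte string from the
page's example rule. Matching is per packet with no stream reassembly.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Packet:
    direction: str              # "in" or "out"
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: int
    flags: set = field(default_factory=set)
    seq: int = 0
    payload: bytes = b""


# Bytes from the page's example rule; decodes to the ASCII text "1025480056".
SIGNATURE = bytes.fromhex("31303235343830303536")
NETBIOS_PORTS = {137, 138, 139}

# A rule is (name, action, predicate). The predicate sees the packet and a
# hypothetical connection table mapping peer address -> expected sequence number.
Rule = Tuple[str, str, Callable[[Packet, Dict[str, int]], bool]]


def signature_rules() -> List[Rule]:
    return [
        ("sig-http-string", "drop",
         lambda p, _: p.direction == "in" and p.proto == "tcp"
         and p.dport == 80 and SIGNATURE in p.payload),
    ]


def custom_rules() -> List[Rule]:
    return [
        ("drop-1.2.3.4", "drop",
         lambda p, _: p.direction == "in" and p.src == "1.2.3.4"),
        # "unless from 2.3.4.5": the explicit accept must precede the drop.
        ("allow-ssh-2.3.4.5", "accept",
         lambda p, _: p.direction == "in" and p.proto == "tcp"
         and p.dport == 22 and p.src == "2.3.4.5"),
        ("drop-ssh", "drop",
         lambda p, _: p.direction == "in" and p.proto == "tcp" and p.dport == 22),
        # Stateful check: RST whose sequence number does not match a known connection.
        ("drop-bogus-rst", "drop",
         lambda p, conns: p.direction == "in" and p.proto == "tcp"
         and "RST" in p.flags and conns.get(p.src) != p.seq),
        ("drop-netbios", "drop", lambda p, _: p.dport in NETBIOS_PORTS),
    ]


def base_rules() -> List[Rule]:
    return [
        ("allow-out-http", "accept",
         lambda p, _: p.direction == "out" and p.proto == "tcp" and p.dport in (80, 443)),
        ("allow-in-http", "accept",
         lambda p, _: p.direction == "in" and p.proto == "tcp" and p.dport == 80),
        ("block-all", "drop", lambda p, _: True),   # default deny
    ]


def evaluate(pkt: Packet, conns: Dict[str, int]) -> Tuple[str, str]:
    """First matching rule wins; the signature set is consulted before the others."""
    for name, action, pred in signature_rules() + custom_rules() + base_rules():
        if pred(pkt, conns):
            return action, name
    return "drop", "block-all"   # unreachable: block-all always matches


# Constructed connection table: one established TCP peer and its expected seq.
CONNS = {"10.0.0.5": 1000}


def verdicts() -> Dict[str, str]:
    """Name of the rule that decides each constructed sample packet."""
    samples = {
        "ssh-trusted": Packet("in", "2.3.4.5", "10.0.0.1", "tcp", 22),
        "ssh-other": Packet("in", "9.9.9.9", "10.0.0.1", "tcp", 22),
        "blocked-ip-http": Packet("in", "1.2.3.4", "10.0.0.1", "tcp", 80),
        "rst-known": Packet("in", "10.0.0.5", "10.0.0.1", "tcp", 80, {"RST"}, seq=1000),
        "rst-spoofed": Packet("in", "10.0.0.5", "10.0.0.1", "tcp", 80, {"RST"}, seq=4242),
        "netbios-out": Packet("out", "10.0.0.1", "10.0.0.9", "udp", 137),
        "http-signature": Packet("in", "8.8.4.4", "10.0.0.1", "tcp", 80,
                                 payload=b"GET /?id=" + SIGNATURE),
        "http-clean": Packet("in", "8.8.4.4", "10.0.0.1", "tcp", 80, payload=b"GET / HTTP/1.1"),
        "dns-in": Packet("in", "8.8.4.4", "10.0.0.1", "udp", 53),
    }
    return {k: evaluate(p, CONNS)[1] for k, p in samples.items()}


def evasion_by_segmentation() -> List[str]:
    """The signature split over two TCP segments: a per-packet matcher with no
    reassembly sees neither half as a hit and lets both through."""
    head, tail = SIGNATURE[:5], SIGNATURE[5:]
    segs = [Packet("in", "8.8.4.4", "10.0.0.1", "tcp", 80, payload=b"GET /?id=" + head),
            Packet("in", "8.8.4.4", "10.0.0.1", "tcp", 80, payload=tail)]
    return [evaluate(s, CONNS)[1] for s in segs]


if __name__ == "__main__":
    for name, rule in verdicts().items():
        print(f"{name:16} -> {rule}")
    print("split signature ->", evasion_by_segmentation())
```

Two things the run makes visible: rule order is part of the policy (swap the two SSH rules and the trusted host is locked out too), and a payload signature is only as good as the matcher's view of the stream, which is why real products reassemble TCP streams before applying signature sets and why a signature set still catches nothing it has not seen.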
It is crucial to have specific tests performed against your firewalls, whatever brand and rule templates you use: attackers are evolving and new, more sophisticated tools appear daily. If you cannot keep up in-house, you can hire specialist teams that offer such offensive security services. Do not underestimate the threat.